1.- The speaker




Software Transparency Foundation (STF) Board member.

Continuous Delivery, FLOSS, data analytics, agility and remote work advocate


Independent consultant helping companies in two ways:

  ○ Applying advanced data analytics to production environments to increase delivery performance, partnering with Bitergia, through a service offering called Delivery Performance Analytics

  ○ Increasing their organizational performance by becoming good open source citizens, as in the case of SCANOSS, as their Ecosystem Manager

Other activities

  ○ SWH (Software Heritage) Ambassador.

  ○ KDE e.V. member. KDE España founder member.

More about Agustín

  ○ Background: MBition (Mercedes-Benz), SUSE, Linaro, Eclipse Foundation, Codethink...

  ○ Blog - About - Talks


Agustín Benito Bethencourt
@toscalix


2.- Introduction 


Software Composition Analysis (SCA)


Learn about Frankie: Frankie 1, Frankie 2


Software composition analysis (SCA) is an automated process that examines a codebase to identify all its components for various purposes:

  • Detect dependencies (code management)
  • Identify licenses (license compliance)
  • Assess potential vulnerabilities (code quality)
  • Identify crypto algorithms (export control)
  • Security compliance, quantum safety, anti-plagiarism...


SCA market


  • The SCA market started as a proprietary monopoly
  • OSS grew but that monopoly remained
  • Is it feasible to disrupt this market with:
    ○ an OSS business model?
    ○ an open data business model?
  • SCANOSS challenges the status quo:
    ○ Open source software journey: every tool and component is OSS
    ○ Open data journey: OSS KB + open data sets


About SCANOSS


  • Leaders: Alan Facey (CEO) and Julian Coccia (CTO)
  • Registered in Madrid, ES. 30+ staff.
  • SCANOSS is an open source software company
    ○ Every piece of software (developed or consumed) is OSS, including the APIs, algorithm implementations, plugins, tooling...
    ○ You can build your own KB and tools using SCANOSS software
    ○ Several open source and proprietary tools use SCANOSS software today
  • SCANOSS is a data company. IP: knowledge base (SCANOSS KB) of published-only OSS and mining network
  • SCANOSS is on an open data journey
    ○ OSS KB is a subset of SCANOSS KB. SCANOSS provided a perpetual license to STF to provide free (gratis) access to OSS KB
    ○ SCANOSS is publishing open datasets for various purposes: security, export control, etc.


Software Transparency Foundation (STF)


  • Spanish foundation originally promoted by SCANOSS
  • Mission: Solving Software Supply Chain Transparency
  • STF provides confidential and free (gratis) access to OSS KB, guarantees a QoS so everyone can use it, and provides an SBOM Ledger
  • STF holds a perpetual license to host and provide access to OSS KB
  • Support STF:
    ○ As a non-profit: create a mirror and provide higher throughput for your members
    ○ As an organization: sponsor STF to maintain/raise QoS for everyone and yourself
    ○ As an individual: use and promote OSS KB
  • Web. LinkedIn


3.- OSS KB and Workbench 


About OSS KB


  • Open Source Software Knowledge Base (OSS KB) is a subset of SCANOSS KB
  • It is encrypted, maintained by SCANOSS for STF
  • OSS KB is mostly focused on license compliance
  • Accessible through STF or its mirrors via API
  • The API to access OSS KB is OSS, so:
    ○ There are several implementations: .go, .js, .py
    ○ CLI and webhook available
    ○ You can use the API in your own tools, as several tools do today, like FOSSology...


About Workbench


  • sbom-workbench is an auditing GUI tool to complete your SCA:
    ○ file indexing and scanning
    ○ dependency scanning
    ○ vulnerability scanning
    ○ search indexing
  • Workbench supplies information about your source code, which includes reporting on the components and their corresponding dependencies, providing insights on licenses and incompatibilities.
  • Workbench is GPL-2.0-only and uses the OSS KB API by default
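The SCA steps the deck lists (fingerprint files, match them against a knowledge base, report components with their licenses and flag incompatibilities with the project license, as Workbench does against OSS KB), as an added illustration that is not SCANOSS or Workbench code. The knowledge base, the two source files and the one-entry incompatibility table are constructed stand-ins, and whole-file hashing replaces the snippet matching a real engine uses.

```python
"""Toy SCA pass (illustrative, not SCANOSS/Workbench code): fingerprint files, look them
up in a constructed knowledge base, report components/licenses, flag license conflicts."""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a knowledge base: file fingerprint -> (component, version, license)
TOY_KB = {
    hashlib.sha256(b"int add(int a, int b) { return a + b; }\n").hexdigest():
        ("libmath-toy", "1.0.0", "GPL-2.0-only"),
    hashlib.sha256(b"def greet(name):\n    return 'hi ' + name\n").hexdigest():
        ("greet-toy", "0.3.1", "Apache-2.0"),
}
# Constructed, deliberately tiny table: project license -> component licenses that
# cannot be combined into it (Apache-2.0 code cannot be relicensed as GPL-2.0-only).
INCOMPATIBLE = {"GPL-2.0-only": {"Apache-2.0"}}

def fingerprint(path: Path) -> str:
    # Whole-file hash; real SCA engines also match snippets, not just whole files.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan(root: Path, kb: dict = TOY_KB) -> list[dict]:
    """One match record per file whose fingerprint the knowledge base knows."""
    matches = []
    for f in sorted(p for p in root.rglob("*") if p.is_file()):
        hit = kb.get(fingerprint(f))
        if hit:
            name, version, lic = hit
            matches.append({"file": str(f.relative_to(root)), "component": name,
                            "version": version, "license": lic})
    return matches

def license_conflicts(matches: list[dict], project_license: str) -> list[str]:
    """Components that cannot legally be combined into a project under project_license."""
    bad = INCOMPATIBLE.get(project_license, set())
    return sorted({m["component"] for m in matches if m["license"] in bad})

def to_sbom(matches: list[dict]) -> dict:
    """Minimal CycloneDX JSON subset: just the component list with SPDX license ids."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": m["component"], "version": m["version"],
         "licenses": [{"license": {"id": m["license"]}}]} for m in matches]}

def demo() -> tuple[list[dict], list[str]]:
    """Write two constructed source files and scan them as a GPL-2.0-only project."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.c").write_bytes(b"int add(int a, int b) { return a + b; }\n")
        (root / "b.py").write_bytes(b"def greet(name):\n    return 'hi ' + name\n")
        matches = scan(root)
        return matches, license_conflicts(matches, "GPL-2.0-only")
```

Running demo() reports both constructed files as known components and flags greet-toy (Apache-2.0) as incompatible with a GPL-2.0-only project; to_sbom() turns the same match list into a minimal SBOM.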


4.- It’s demo time! 


Links and references


  • Software Transparency Foundation: STF
  • SCANOSS website. SCANOSS OSS at GitHub
  • OSS KB. API
  • Workbench
    ○ Workbench on GitHub
    ○ Latest stable release v1.12.4. Download Workbench via Flathub (new)
  • Videos
    ○ Tool Review: SCANOSS Audit Workbench
    ○ SCANOSS Python Tool


5.- Takeaway 


Takeaway

You can't protect or comply with what you cannot see

Curating software and creating SBOMs is a challenge for any developer

Software curation and SBOM availability makes the consumption of your KDE software safer... especially in an AI-driven world

Workbench + OSS KB is a solid and affordable solution to this challenge for KDE developers

Thank you